National Lottery confirms people’s personal information may have been accessed in the attempted hack

Published:09:38Updated:09:39Wednesday 30 November 2016

Share this article

National Lottery operator Camelot has this morning revealed they are aware of “suspicious activity” which has been detected on a number of players’ online accounts.

The Camelot Group has reassured users of their website that there has been “no unauthorised access to core National Lottery systems” but said “we believe that the email address and password used on the National Lottery website may have been stolen.”

A statement published by Camelot said: “On 28 November 2016, as part of our online security monitoring, we became aware of suspicious activity on a very small proportion of our players’ online National Lottery Accounts.

“We would like to make clear that there has been no unauthorised access to core National Lottery systems or any of our databases, which would affect National Lottery draws or payment of prizes. In addition, no money has been deposited or withdrawn from affected player accounts.

“We are currently taking all the necessary steps to fully understand what has happened, but we believe that the email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details.

“We do not hold full debit card or bank account details in National Lottery players’ online accounts and no money has been taken or deposited. However, we do believe that this attack may have resulted in some of the personal information that the affected players hold in their online account being accessed.

“Of our 9.5 million registered online players, we believe that around 26,500 players’ accounts were accessed. A much smaller number – fewer than 50 – have had some activity take place within the account since it was accessed. This was limited to some of their personal details being changed – and some of these details may have been changed by the players themselves. However, we have taken the measure of suspending the accounts of these players and are in the process of contacting them to help them re-activate their accounts securely. In addition, we have instigated a compulsory password reset on the accounts of the 26,500 affected players. We are in the process of proactively contacting them to help them change their passwords, as well as giving them some more general online security advice.

“Cyber criminals such as this are persistent, and we are continuing to monitor and protect our systems. We are also working closely with the National Crime Agency and the National Cyber Security Centre on an ongoing basis on this criminal matter.

“We’d like to reassure our customers that protecting their personal data is of the utmost importance to us. We are very sorry for any inconvenience this may cause to our players and would like to encourage those with any concerns to contact us directly, so we can discuss it with them in more detail.”